Cisco Traffic Anomaly Detector Module

The Cisco® Traffic Anomaly Detector Module is an integrated services module for Cisco Catalyst® 6500 Series switches and Cisco 7600 Series routers that helps large organizations protect against distributed denial-of-service (DDoS) attacks and other network attacks by enabling users to quickly initiate mitigation services and block the attacks before business is adversely affected.

Based on a unique, patented multiverification process architecture, the Cisco Traffic Anomaly Detector Module (Figure 1) uses the latest behavioral analysis and attack recognition technology to proactively detect and identify all types of online attacks. By constantly monitoring traffic destined for a protected device, such as a Web or e-commerce application server, the Cisco Traffic Anomaly Detector Module compiles detailed profiles that indicate how individual devices behave under "normal" operating conditions. If the Cisco Traffic Anomaly Detector Module detects any per-flow deviations from the profile, it considers the anomalous behavior a potential attack and responds based on user preference: by sending an operator alert to initiate a manual response, by triggering an existing management system, or by launching the Cisco Anomaly Guard Module to immediately begin mitigation services.

DDoS attacks represent the fastest-growing form of threats facing online businesses today. These attacks, which have evolved from simple acts of publicity-seeking vandalism to highly focused events designed to disrupt an organization's business operations, have become increasingly relentless and malicious, causing significant harm to many businesses.

Attack techniques are also growing more sophisticated. Attackers mimic valid requests, spoof source identification, and use armies of compromised "zombie" hosts to overwhelm Internet data centers and existing defenses, making identification and blocking of the malicious traffic flows virtually impossible.

The Cisco Traffic Anomaly Detector Module works with the Cisco Anomaly Guard Module to provide a complete detection and mitigation solution that protects enterprises, hosting centers, government agencies, and service provider environments from DDoS attacks. When the Traffic Anomaly Detector Module identifies potential attacks through deviations from known "normal" behavior, it alerts the Anomaly Guard Module to begin diverting traffic destined for the targeted devices, and only that traffic, for inspection. All other traffic continues to flow normally, increasing the number of devices or zones a single Anomaly Guard Module can protect.

Diverted traffic is rerouted through the Cisco Anomaly Guard Module, where it is scrutinized to identify and separate "bad" flows from legitimate transactions. Attack packets are identified and removed, while legitimate traffic is forwarded to its original destination. This helps ensure that real users and real transactions get through, and provides maximum availability.

Cisco Traffic Anomaly Detector Module Benefits

Recognition and Learning

The Cisco Traffic Anomaly Detector Module monitors a mirrored copy of selected inbound traffic flowing through the Cisco Catalyst 6500 Series or Cisco 7600 Series chassis toward destinations under protection, building detailed profiles of "normal" behavior for each protected device without consuming valuable switch or router resources.

Using sophisticated behavior-based anomaly detection technology, the Cisco Traffic Anomaly Detector Module detects any activity that deviates from those profiles at both global and detailed session levels, enabling highly accurate identification of all types of known and "day-zero" attacks. Per-connection state analysis of all packets enables fast, thorough detection and identification of the most elusive and sophisticated attacks, from subtle, low-rate server resource exhaustion attacks to large-scale attacks launched by hundreds of thousands of distributed zombies.

The Cisco Traffic Anomaly Detector Module's behavioral recognition approach eliminates the need to continually update string signatures while reducing the volume of alerts and false positives common with static signature-based approaches. In addition, the Cisco Traffic Anomaly Detector Module comes preconfigured with default profiles for immediate operation, and automated learning allows users to create specific tuning recommendations that can be reviewed by the operator.
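The baseline-then-deviation approach described above, as an added illustration written for this page (not Cisco code and not how the module is implemented): per-protected-zone packet rates are learned from a clean period, a threshold is derived from each zone's own mean and spread, and later traffic is flagged per second together with the number of distinct sources involved. The flow records, addresses and threshold formula are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (second, src, dst, packets); not real capture data.
LEARNING_FLOWS = [(s, f"192.0.2.{i}", "203.0.113.10", 50 + (s + i) % 7)
                  for s in range(10) for i in range(1, 3)]
LEARNING_FLOWS += [(s, "192.0.2.9", "203.0.113.20", 30) for s in range(10)]
# Later period: one zone hit by 199 sources at once, the other zone unchanged.
ATTACK_FLOWS = [(s, f"198.51.100.{i}", "203.0.113.10", 25)
                for s in range(20, 23) for i in range(1, 200)]
NORMAL_FLOWS = [(s, "192.0.2.1", "203.0.113.20", 31) for s in range(20, 23)]


def rates_by_zone(flows):
    """Per protected zone (dst): packets per second and distinct sources per second."""
    pkts = defaultdict(lambda: defaultdict(int))
    srcs = defaultdict(lambda: defaultdict(set))
    for sec, src, dst, n in flows:
        pkts[dst][sec] += n
        srcs[dst][sec].add(src)
    return pkts, srcs


def learn_profiles(flows, k=3.0):
    """Baseline per zone: mean + k*stddev of packets/sec over the learning period.
    A floor of 10% of the mean keeps a perfectly steady zone from getting a zero band."""
    pkts, _ = rates_by_zone(flows)
    profiles = {}
    for dst, per_sec in pkts.items():
        series = list(per_sec.values())
        mu, sigma = mean(series), pstdev(series)
        profiles[dst] = mu + k * max(sigma, 0.1 * mu)
    return profiles


def detect(profiles, flows):
    """Return (zone, second, packets, distinct_sources) for every second above threshold."""
    pkts, srcs = rates_by_zone(flows)
    anomalies = []
    for dst, per_sec in pkts.items():
        if dst not in profiles:
            continue  # destination is not a protected zone; nothing to compare against
        for sec in sorted(per_sec):
            if per_sec[sec] > profiles[dst]:
                anomalies.append((dst, sec, per_sec[sec], len(srcs[dst][sec])))
    return anomalies


if __name__ == "__main__":
    learned = learn_profiles(LEARNING_FLOWS)
    for hit in detect(learned, ATTACK_FLOWS + NORMAL_FLOWS):
        print("zone %s t=%ds: %d pkt/s from %d sources (threshold %.1f)" % (*hit, learned[hit[0]]))
```

The source count per flagged second is what distinguishes a distributed flood from a single noisy client, which is why the output carries it alongside the rate.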

Multigigabit Performance

The high-performance Cisco Traffic Anomaly Detector Module monitors attack flows at full gigabit line rates, and with the capacity to identify more than 100,000 sources per module in an attack, providing robust protection for large, high-volume environments against distributed attacks.

In addition, multistage analysis of fully mirrored traffic delivers fast recognition of even the stealthiest low-rate attacks. To provide the greatest possible protection, the Cisco Traffic Anomaly Detector Module can be deployed in downstream Cisco Catalyst chassis, close to protected resources in the data center, or in upstream chassis to provide more widespread coverage.

The Cisco Traffic Anomaly Detector Module can also be configured to proactively send alerts to network operators and to the Cisco Anomaly Guard Module to initiate rapid response to attack conditions, including automated mitigation services to quickly thwart the attack. A Simple Network Management Protocol (SNMP) MIB also makes all device-level, protected-zone-level, and attack-level statistics available to standards-based management systems.

In integrated mode, one or more Cisco Traffic Anomaly Detector Modules are installed in existing Cisco Catalyst 6500 Series or Cisco 7600 Series chassis deployed in the data center and residing in the normal Layer 3 data path. A copy of traffic destined for resources to be monitored for protection must be sent to the Traffic Anomaly Detector Module by Switched Port Analyzer (SPAN) sessions, by physical port or VLAN, or by VLAN access control list (VACL) capture.

In dedicated mode, the Cisco Traffic Anomaly Detector Module is installed in a dedicated Cisco Catalyst 6500 Series switch or Cisco 7600 Series router adjacent to a downstream switch or router near the devices or zones being protected, providing a more scalable solution for large and growing environments. In this configuration, a copy of traffic must be sent to the dedicated switch or router via remote SPAN or fiberoptic link splitter.

The Cisco Traffic Anomaly Detector Module can be installed in either integrated or dedicated mode, imposing either a one- or two-step packet-capture process to receive a copy of traffic for monitoring. Whether in integrated or dedicated mode, when an attack is detected, the Traffic Anomaly Detector Module responds in one of three ways: it can send an alert to initiate a manual response, it can trigger an existing management system to take action, or it can automatically launch the Cisco Anomaly Guard Module or Cisco Guard XT appliance to immediately begin mitigation services.

Applications

Cisco DDoS anomaly detection and mitigation solutions can be deployed in various topologies serving both enterprises and service provider environments (Figures 3-5).

Installed inside a Cisco Catalyst 6500 Series switch or Cisco 7600 Series router, the Cisco Traffic Anomaly Detector Module integrates complete DDoS detection capabilities into the network infrastructure. Modules can be easily installed in existing switches or routers, allowing powerful DDoS protection services to be deployed where and when they are needed, without consuming any interface ports. High-density dedicated appliances or multiservice security switches can also be deployed, using any range of chassis sizes and with high-availability, DC power, and Network Equipment Building Standards (NEBS) options. Interoperable line cards help ensure media flexibility. Packet capture may be completely intrachassis, or may occur across devices using remote SPAN or fiber link splitters.

Scalability

Where high-capacity protection is required, up to four modules can be installed in a single switch to support large and rapidly expanding environments. Additionally, the Cisco Traffic Anomaly Detector Module's multiprocessor architecture and multiple gigabit backplane interfaces can support future licensed software upgrades to multigigabit performance per module.

Reliability and High Availability

The Cisco Traffic Anomaly Detector Module maintains the performance, reliability, and robust architecture of the standalone Cisco Traffic Anomaly Detector XT appliance. When deployed in a Cisco Catalyst 6500 Series switch or Cisco 7600 Series router, the Traffic Anomaly Detector Module supports highly reliable redundant configurations, including redundant supervisor engines, backplanes, power supplies, and fans. In addition, Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers offer Control Plane Policing for DDoS hardening, as well as high-availability options.

Lower Cost of Ownership

Since the modules are integrated into Cisco Catalyst 6500 Series switches or Cisco 7600 Series routers along with other services modules, there are fewer devices to manage, reducing the cost of operation. In addition, because the application software is similar to the appliance application software, training costs are minimized. With this modular approach, customers can use their existing switching and routing infrastructures for cost-effective deployment, and can do so while obtaining the highest performance available in the industry and providing secured IP services along with multilayer LAN and WAN switching and routing capabilities.

Summary

Working in concert with the Cisco Anomaly Guard Module, the Cisco Traffic Anomaly Detector Module contributes to a complete security solution that helps ensure uninterrupted business operations, even in the face of the most malicious DDoS attacks. This translates into a significant competitive advantage, providing uncompromised availability and unparalleled protection of the most valuable business assets.

• Switch Fabric Module (SFM) required on the Supervisor Engine 2 to process more than 1 Gbps of traffic.

• On the Cisco Catalyst 6500 Series switch, IOS support is only up to IOS® Software Release 12.2(18)SXE.

• On the Cisco 7600 Series routers, IOS support is on Software Release 12.2(18)SXE and also on the 12.2(33)SRA/SRB release.

• Occupies one slot in a Cisco Catalyst 6500 Series switch or Cisco 7600 Series router.

• Up to six Cisco Traffic Anomaly Detector Modules may be deployed in a single 9-slot chassis, either protecting the same destinations in load-sharing mode or protecting different destinations. If deploying Cisco Anomaly Guard Modules and Cisco Traffic Anomaly Detector Modules in the same chassis, a combined total of eight modules may be installed. For nonstandard installations, consult the release notes or your Cisco technical support representative.

Whether your company is a large organization, a commercial business, or a service provider, Cisco is committed to maximizing the return on your network investment. Cisco offers a portfolio of technical support services to help ensure that your Cisco products operate efficiently, remain highly available, and benefit from the most up-to-date system software.